debugging when columns are not filled out

tb5821 · ‎11-09-2018

How does one debug searches when you expect a column to be filled out yet its not?

sourcetype=mongo_stats 
| streamstats current=f last(count) as last_count last(_time) as time_of_last_change by namespace
| eval diffoflastchange=now()-time_of_last_change
| eval HH:MM:SS_since_last_change=tostring(diffoflastchange,"duration")
| rename count as current_count 
| fieldformat current_count=tostring(current_count,"commas") 
| table namespace current_count  HH:MM:SS_since_last_change lastChange | addcoltotals current_count | dedup namespace  | sort -current_count

for some reason the only columns I get are namespace and current count - the others are all blank but the logic to calculate the others looks right!

kmaron · ‎11-09-2018

In my experience it's best to strip down to the first piece and make sure it works then add back a piece at a time. so start with your streamstats and make sure its giving you what you expect.

 sourcetype=mongo_stats 
 | streamstats current=f last(count) as last_count last(_time) as time_of_last_change by namespace

is count a field that already exists in your sourcetype? if not you'll need a stats to do your counting before the streamstats.

tb5821 · ‎11-09-2018

yes it exists - problem seems to be that it can't tie the eval fields to the right namespace field?

debugging when columns are not filled out

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life